If something goes wrong, here's what happens.

No system is perfectly secure. PracticaCPD operates a documented incident response plan under the Australian Notifiable Data Breaches (NDB) scheme. This page is the public summary of that plan — the commitment we make to you.

Last reviewed 16 May 2026

How we detect incidents

  • Automated monitoring of authentication failures, rate limit breaches, and audit-log anomalies.
  • Crash and error reporting via Sentry, reviewed daily.
  • Sub-processor incident notifications — every vendor listed on our sub-processor register is contractually obliged to notify us promptly of any incident affecting PracticaCPD data.
  • Responsible-disclosure reports via security@practicacpd.com.au.
  • Direct reports from users or practices via support@practicacpd.com.au.

The clock starts when we become aware

Within 24 hours of becoming aware of a suspected incident, we make an initial severity classification (P1 / P2 / P3) and begin our formal response. Within 72 hours we aim to have contained the issue or confirmed that no breach actually occurred.

The full NDB statutory window for assessing whether an “eligible data breach” has occurred is 30 days. Where we can move faster, we do.

Containment first, then assessment

Our first priority is always containment — stopping further unauthorised access. This may involve revoking sessions, rotating keys, disabling features, or taking parts of the platform offline. We accept service disruption as the lesser harm.

Once contained, we assess what data was involved, how many users are affected, and what real-world harm is reasonably likely.

When we notify you

If we conclude that the breach is likely to result in serious harm to one or more affected individuals — defined under section 26WG of the Privacy Act — we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) using their statutory form, and
  • Notify each affected individual by email to their registered address, and
  • Publish a notice on this page and on the homepage banner of practicacpd.com.au.

We aim to notify within 72 hours of confirming a serious-harm breach, even though the statutory window is longer.

If a breach is contained without serious-harm risk materialising (e.g. an internal misconfiguration with no evidence of exfiltration), we are not legally required to notify and may not — but we will record it in our internal log and review the cause.

What our notification will tell you

  • What happened, in plain English.
  • What data of yours was, or may have been, involved.
  • What we have done to contain and fix it.
  • What you can do (e.g. rotate a password elsewhere, watch for phishing).
  • How to contact us with questions, and how to escalate to the OAIC if you're not satisfied.

Post-incident review

Every incident — serious-harm or otherwise — triggers a written post-mortem within 14 days of containment. The post-mortem covers root cause, contributing factors, what we changed, and what we'll do differently. Lessons learned are folded back into our controls.

Material post-mortems for serious incidents are published on this page in summary form.

Past incidents

None disclosed at this time. This section will be populated if and when an eligible data breach occurs.
